Long-time readers of the blog will know its roots come from my work in customer acquisition, with many posts focusing on exposing and explaining the nefarious tactics that some bad performance-based / affiliate marketers employ. This post is no exception. Quite a few have written about it, including Southwest, but its connection to the performance marketing space is what interests me more than the annoyance it has caused.

I could spend (and have spent) hours walking through the evolution of and mechanisms behind shady online advertising, but they come into being because:

Not all ad impressions are created equal

There are LOTS more average-at-best (and in reality below-average) ad impressions than there are paying advertisers

Making money off those impressions is hard, very hard, and doing so almost always means leading with some false claim that appeals to a broad audience (Run of Network to use advertising terms)

Having observed the world of shady marketing for quite some time, I have seen that it goes in cycles. I thought we saw the cycle play out in Facebook. The company has done a commendable job trying to remove advertisers that provide no value, even if they could increase the company's bottom line. (Almost no advertiser would pay enough to make up for the value of losing a user.)

The early days of bad ads on Facebook coincided with the heyday of mobile subscription services (crush then IQ). Once those were sidelined, the next phase was the flog and farticle, whose operators spent on Facebook ads. Amazingly, they still linger, e.g.,

Thanks to hard work by the FTC, restrictions by ad platforms, and huge losses by affiliate networks, we do not see as many of the fake articles being run. The question then becomes, if you are an affiliate looking to tap into Facebook, what do you do?

Interestingly, we have not seen many in the performance world using Facebook pages (except as jump pages like the Dr. Oz example) or Facebook Connect. That was why my curiosity was piqued when I received an email that had all the hallmarks of bad affiliate advertising (clue 1 - a too good to be true claim) but was tapping into the full power of the Facebook platform, not just the ads.

It started with this message.

The "added a photo of you" but without including that photo in the image is also a sign that something might not be right.

Clicking on "See Photo" took me here (it's a mobile screen grab as it was taken down when I went back)

It's pretty clever. The image looks like one from Southwest, and they even put the person's name in the copy and the image. As you can see, a lot of others were included. In no way does it count as a picture of us though.

Another alert appeared saying that the sender commented on the picture. Here is that part (also from a mobile screen grab):

If you click on the link you get taken here:

It's here that things start to look really suspicious. First and foremost, we are not on Southwest.com or their Facebook page. We are on a page on a random domain - www.inbizi.info. A quick check of the domain shows two big issues. The first is that going to the domain shows you this:

The second major issue is if you check the WhoIs information, it is private. No truly legitimate business will keep their information private.

Third, Southwest would never promote someone else's app.

Fourth, no app connection or any non-purchase could be worth it to any company to give out free tickets.

But, this is the key to all ad scams. The action required of the user, an app install, seems far outweighed by the potential gain.
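The first red flag above, a link that does not land on Southwest.com, can be checked mechanically. The sketch below is an added example, not part of the original post: it compares the host a link really points to against an allow-list of the brand's domains. The allow-list, the function names and every sample link except the www.inbizi.info host are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only domain treated as official in this example.
# A brand's Facebook page would need a path check as well, since anyone
# can host content on facebook.com.
OFFICIAL_DOMAINS = {"southwest.com"}

# Constructed sample links. Only the host www.inbizi.info comes from the post.
SAMPLE_LINKS = [
    "https://www.southwest.com/",
    "HTTPS://WWW.SOUTHWEST.COM./",
    "http://www.inbizi.info/",
    "http://southwest.com.inbizi.info/",      # brand name as a subdomain label
    "http://southwest.com@www.inbizi.info/",  # brand name in the userinfo part
    "http://notsouthwest.com/",               # brand name as a suffix only
    "www.southwest.com/",                     # no scheme: cannot be trusted as-is
]


def link_host(url):
    """Host the browser would connect to: no userinfo, port, case or trailing dot."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed authority, e.g. a bad IPv6 literal
        return ""
    return host.rstrip(".").lower()


def is_official(url, official=OFFICIAL_DOMAINS):
    """True only for http(s) links whose host is an official domain or a subdomain of one."""
    try:
        scheme = urlsplit(url).scheme
    except ValueError:
        return False
    if scheme not in ("http", "https"):
        return False
    host = link_host(url)
    # Match on a label boundary so "notsouthwest.com" does not pass.
    return any(host == d or host.endswith("." + d) for d in official)


def review(links):
    """Return (link, real host, verdict) for each link."""
    return [(u, link_host(u), is_official(u)) for u in links]


if __name__ == "__main__":
    for link, host, ok in review(SAMPLE_LINKS):
        print(f"{'official' if ok else 'NOT official':13} {host or '-':28} {link}")
```

Only the first two sample links pass; every variant that merely contains the brand name resolves to a host outside the allow-list.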

By now, it's clear that it's a "scam." Being a glutton for punishment and entirely too curious, I decide to click "Login with Facebook."

The special token (Facebook Connect) process asks you to install Zodio.

Interestingly, the data requests from Zodio are seemingly light - basic info, access to photos, and email address. The big mistake I make is not changing the permission where it says who can see posts made by the app. I keep it at "Friends," which is perfectly fine for any trustworthy app.

As advertised, a success window shows up after agreeing to install the app.

Next comes the reward phase: entering the URL into the promotion page (the inbizi.info one).

Drum roll...

That's right. The "2 FREE Tickets" offer is nothing more than an email submit offer, known colloquially as the Free iPod Offers. (The spammer is just an affiliate looking to make money when people enter their email address. The spammer has no connection to the airline or even the company behind the offer, who is now dealing with hundreds of thousands of complaints.)

As a user, it's bad enough to be tricked into installing an app only to end up at the start of an incentive promotion (go through a registration path, end up being asked to convert on offers in order to earn enough points / dollars to redeem the tickets). That's a letdown, but it doesn't compare to the insidious nature of the app which gets installed.

Unfortunately for me and my digital reputation, the original message in which I was tagged was not an exuberant user sharing a faulty deal. It was pure spam by the app, and the extent to which the app rips through your contacts and leverages the virality of Facebook is appalling.

About the time that I landed on the free offer page, the app was busy creating posts on my wall using the photos permission I gave it.

Before I knew it, the same thing had happened to me.

At first, I didn't realize that it happened, and I didn't put two and two together about how they could do this via photos. So, when I noticed that the app had started to wreak havoc, I thought I could just delete the app and did so two ways.

Deleting through the post:

which leads to:

On the advice of a friend, I also went to my settings, then to apps.

Deleting through Settings:

Then:

My friend also said that I should change my password, as that should help with the fact that they "may still have the data" I "shared with them."

The real genius and the real crime of Zodio is just how it interacted with the photo settings. It didn't just create a photo, tag 30 or so people, then submit a comment on my behalf with the link. It did it MANY times by creating MANY different albums.

So, app removed, I then went to each album, changed the title from promotional to apologetic, then untagged everyone. I certainly wouldn't have invited these people or titled the album as seen below.

Hopefully, I might find someone at the email submit company to try and get a sense of just how much traffic was generated. I don't know how many people who were tagged went through this process, but I wouldn't be surprised if the number were in the hundreds of thousands. Perhaps app dat will pick it up.

As with most scams, there are ways to make more sustainable money, even if you just wanted to leverage Facebook. For me, the hardest part is that these types of scams do incalculable harm. By tagging and posting on the user's behalf, implying endorsement, all without their consent, they may not do the financial harm that some scams do. But most of those scams (see the "Dr. Oz" image above) are infractions against one person. This is damage to reputation and to relationships, which ultimately are far more valuable and much more costly when lost.